View Issue Details

ID: 0001482
Project: Infrastructure host
Category: general
View Status: public
Last Update: 2020-08-09 09:25
Reporter: SaT
Assigned To: jandd
Status: new
Resolution: open
Summary: 0001482: Limit validity period of new HTTPS certificates to one year
Description: According to the German article from Heise (1), most browser manufacturers will not accept HTTPS certificates anymore after September 1, 2020, if they have a validity period longer than one year. This article mentions other sources from Apple (2) and Google (3) regarding this decision.

CAcert should respect this constraint when issuing SSL server certificates. It could be hard-coded, or the user may be able to select if the certificate has a validity period of e.g. 6 months, 1 year or 2 years.

Tags: No tags attached.


has duplicate 0001494 closed Main CAcert Website Shorten certificate lifetime to one year
related to 0000775 needs review egal Main CAcert Website An org certificate is only valid one year
related to 0001464 new Ted Main CAcert Website Support ACME protocol for issuing certificates



2020-06-27 13:11

reporter   ~0005894

I have read the comments at Heise and come to the following conclusion:
1. We have to reduce the validity period from September 1 to 398 days (or 396 days - one day margin and every four years leap year)
2. If feasible, offer the validity period at the same time - otherwise later if possible - selectable:
As SaT says: 6/12 months (for web), but also 2/3/possibly 5 years for other applications.
See among others the following article at Heise:
(they write about smtp, imap, ftp, ldap, xmpp, stunnel, and others)

The selection (e.g. radio button) must clearly state "for all purposes, incl. https" or "not suitable for websites/https" next to the duration.


2020-08-09 09:25

administrator   ~0005900

I just had a look at Apple's page cited above. There, the statement is "This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS."

Chromium's statement is "Enforce publicly trusted TLS server certificates ...", which is not as specific as Apple's, but could be interpreted the same way...
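
The 398-day rule and the scope question raised in the notes above, written out as an added example (not part of the issue thread and not CAcert code). It assumes the limit applies to certificates whose notBefore is on or after September 1, 2020 UTC and that lifetime is notAfter minus notBefore; the `chains_to_preinstalled_root` flag, the verdict names and the sample dates are constructed for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)  # date named in the issue
MAX_VALIDITY = timedelta(days=398)                  # limit from the first note

def _parse(ts):
    """Parse a getpeercert()-style time such as 'Sep  1 00:00:00 2020 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(ts), tz=timezone.utc)

def check_validity(cert, chains_to_preinstalled_root):
    """Return (verdict, lifetime) for a TLS server certificate.

    cert: dict with 'notBefore'/'notAfter' as in SSLSocket.getpeercert().
    chains_to_preinstalled_root: hypothetical flag supplied by the caller;
    False for a root the user installed locally.
    """
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    lifetime = not_after - not_before
    if lifetime <= timedelta(0):
        return "invalid", lifetime
    if not chains_to_preinstalled_root:
        return "out-of-scope", lifetime   # reading discussed in the last note
    if not_before < CUTOFF:
        return "issued-before-cutoff", lifetime
    return ("too-long" if lifetime > MAX_VALIDITY else "ok"), lifetime

def selection_label(days):
    """Label for a selectable duration, using the wording proposed in the note."""
    if timedelta(days=days) <= MAX_VALIDITY:
        return "for all purposes, incl. https"
    return "not suitable for websites/https"

# Constructed sample certificates (dates only), not taken from any real host.
SAMPLES = {
    "398d": {"notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Oct  4 00:00:00 2021 GMT"},
    "2y": {"notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Sep  1 00:00:00 2022 GMT"},
    "old-2y": {"notBefore": "Aug 31 23:59:59 2020 GMT", "notAfter": "Aug 31 23:59:59 2022 GMT"},
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        for preinstalled in (True, False):
            verdict, lifetime = check_validity(cert, preinstalled)
            print(f"{name:7} preinstalled={preinstalled!s:5} {lifetime.days:4}d {verdict}")
```
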

Issue History

Date Modified Username Field Change
2020-06-27 09:30 SaT New Issue
2020-06-27 09:30 SaT Assigned To => jandd
2020-06-27 13:11 L10N Note Added: 0005894
2020-06-27 14:15 Ted Relationship added related to 0000775
2020-06-27 14:22 Ted Relationship added related to 0001464
2020-08-07 22:47 L10N Relationship added has duplicate 0001494
2020-08-09 09:25 Ted Note Added: 0005900